製品・ソフトウェアに関する情報

JVN脆弱性詳細

valgrind における任意のプログラムを実行される脆弱性

Title	valgrind における任意のプログラムを実行される脆弱性
Summary	valgrind は、検索パスに関する処理に不備があるため、任意のプログラムを実行される脆弱性が存在します。
Possible impacts	ローカルユーザにより、カレントワーキングディレクトリのトロイの木馬 .valgrindrc ファイルを介して、任意のプログラムを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 31, 2008, midnight
Registration Date	Dec. 20, 2012, 6:52 p.m.
Last Update	Dec. 20, 2012, 6:52 p.m.

Affected System

valgrind

valgrind 3.4.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-4865	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4865
National Vulnerability Database (NVD)
2	CVE-2008-4865	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4865

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
valgrind
1	Valgrind-3.4.0 is available	http://sourceforge.net/mailarchive/forum.php?thread_name=200901032045.17604.jseward%40acm.org&forum_name=valgrind-announce

Change Log

No	Changed Details	Date of change
0	[2012年12月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-4865

Summary	Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario.
Summary	Una vulnerabilidad de ruta de búsqueda no confiable en valgrind anterior a la versión 3.4.0, permite a los usuarios locales ejecutar programas arbitrarios por medio de un archivo .valgrindrc de tipo caballo de Troya en el directorio de trabajo actual, como se demuestra utilizando una configuración de opciones de comando --db- maliciosas . NOTA: la gravedad de este problema se ha cuestionado, pero el CVE incluye este problema porque la ejecución de un programa desde un directorio que no es de confianza es un escenario común.
Publication Date	Nov. 1, 2008, 9 a.m.
Registration Date	Jan. 29, 2021, 1:44 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:valgrind:valgrind::rc1::::::*		3.4.0
cpe:2.3:a:valgrind:valgrind:1.9.6:::::::*
cpe:2.3:a:valgrind:valgrind:2.0.0:::::::*
cpe:2.3:a:valgrind:valgrind:2.1.0:::::::*
cpe:2.3:a:valgrind:valgrind:2.1.1:::::::*
cpe:2.3:a:valgrind:valgrind:2.2.0:::::::*
cpe:2.3:a:valgrind:valgrind:2.4.1:::::::*
cpe:2.3:a:valgrind:valgrind:2.4.1::powerpc:::::
cpe:2.3:a:valgrind:valgrind:3.0.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.0.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.1.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.1.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.2:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.3:::::::*
cpe:2.3:a:valgrind:valgrind:3.3.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.3.0:rc1::::::
cpe:2.3:a:valgrind:valgrind:3.3.0:rc2::::::
cpe:2.3:a:valgrind:valgrind:3.3.0:rc3::::::
cpe:2.3:a:valgrind:valgrind:3.3.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.3.1:rc1::::::

Related information, measures and tools

No	URL	refsource
1	http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html	cve@mitre.org
2	http://secunia.com/advisories/33568	cve@mitre.org
3	http://security.gentoo.org/glsa/glsa-200902-03.xml	cve@mitre.org
4	http://sourceforge.net/mailarchive/forum.php?thread_name=200901032045.17604.jseward%40acm.org&forum_name=valgrind-announce	cve@mitre.org
5	http://www.openwall.com/lists/oss-security/2008/10/27/4	cve@mitre.org
6	http://www.openwall.com/lists/oss-security/2008/10/28/5	cve@mitre.org
7	http://www.openwall.com/lists/oss-security/2008/10/29/5	cve@mitre.org
8	http://www.openwall.com/lists/oss-security/2008/10/29/9	cve@mitre.org
9	http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html	af854a3a-2127-422b-91ae-364da2661108
10	http://secunia.com/advisories/33568	af854a3a-2127-422b-91ae-364da2661108
11	http://security.gentoo.org/glsa/glsa-200902-03.xml	af854a3a-2127-422b-91ae-364da2661108
12	http://sourceforge.net/mailarchive/forum.php?thread_name=200901032045.17604.jseward%40acm.org&forum_name=valgrind-announce	af854a3a-2127-422b-91ae-364da2661108
13	http://www.openwall.com/lists/oss-security/2008/10/27/4	af854a3a-2127-422b-91ae-364da2661108
14	http://www.openwall.com/lists/oss-security/2008/10/28/5	af854a3a-2127-422b-91ae-364da2661108
15	http://www.openwall.com/lists/oss-security/2008/10/29/5	af854a3a-2127-422b-91ae-364da2661108
16	http://www.openwall.com/lists/oss-security/2008/10/29/9	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:valgrind:valgrind::rc1::::::*		3.4.0
cpe:2.3:a:valgrind:valgrind:1.9.6:::::::*
cpe:2.3:a:valgrind:valgrind:2.0.0:::::::*
cpe:2.3:a:valgrind:valgrind:2.1.0:::::::*
cpe:2.3:a:valgrind:valgrind:2.1.1:::::::*
cpe:2.3:a:valgrind:valgrind:2.2.0:::::::*
cpe:2.3:a:valgrind:valgrind:2.4.1:::::::*
cpe:2.3:a:valgrind:valgrind:2.4.1::powerpc:::::
cpe:2.3:a:valgrind:valgrind:3.0.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.0.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.1.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.1.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.2:::::::*
cpe:2.3:a:valgrind:valgrind:3.2.3:::::::*
cpe:2.3:a:valgrind:valgrind:3.3.0:::::::*
cpe:2.3:a:valgrind:valgrind:3.3.0:rc1::::::
cpe:2.3:a:valgrind:valgrind:3.3.0:rc2::::::
cpe:2.3:a:valgrind:valgrind:3.3.0:rc3::::::
cpe:2.3:a:valgrind:valgrind:3.3.1:::::::*
cpe:2.3:a:valgrind:valgrind:3.3.1:rc1::::::